Network Working Group                                          R. Koodli
Request for Comments: 4882                        Nokia Siemens Networks
Category: Informational                                         May 2007

IP Address Location Privacy and Mobile IPv6: Problem Statement

Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.

Copyright Notice
Copyright (C) The IETF Trust (2007).

Abstract
In this document, we discuss location privacy as applicable to Mobile
IPv6. We document the concerns arising from revealing a Home Address
to an onlooker and from disclosing a Care-of Address to a
correspondent.

Table of Contents

1. Introduction
2. Definitions
3. Problem Definition
   3.1. Disclosing the Care-of Address to the Correspondent Node
   3.2. Revealing the Home Address to Onlookers
   3.3. Problem Scope
4. Problem Illustration
5. Conclusion
6. Security Considerations
7. Acknowledgments
8. References
   8.1. Normative References
   8.2. Informative References
Appendix A. Background
Koodli                       Informational                      [Page 1]

RFC 4882                 MIP6 Location Privacy                  May 2007

1. Introduction
The problems of location privacy, and privacy when using IP for
communication, have become important. IP privacy is broadly
concerned with protecting user communication from unwittingly
revealing information that could be used to analyze and gather
sensitive user data. Examples include gathering data at certain
vantage points, collecting information related to specific traffic,
and monitoring (perhaps) certain populations of users for activity
during specific times of the day, etc. In this document, we refer to
this as the "profiling" problem.

Location privacy is concerned with the problem of revealing roaming,
which we define here as the process of a Mobile Node (MN) moving from
one network to another with or without ongoing sessions. A constant
identifier with global scope can reveal roaming. Examples are a
device identifier such as an IP address, and a user identifier such
as a SIP [RFC3261] URI [RFC3986]. Often, a binding between these two
identifiers is available, e.g., through DNS [RFC1035]. Traffic
analysis of such IP and Upper Layer Protocol identifiers on a single
network can indicate device and user roaming. Roaming could also be
inferred by means of profiling constant fields in IP communication
across multiple network movements. For example, an Interface
Identifier (IID) [RFC2462] in the IPv6 address that remains unchanged
across networks could suggest roaming. The Security Parameter Index
(SPI) in the IPsec [RFC4301] header is another field that may be
subject to such profiling and inference. Inferring roaming in this
way typically requires traffic analysis across multiple networks, or
colluding attackers, or both. When location privacy is compromised,
it could lead to more targeted profiling of user communication.
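The unchanged Interface Identifier case described above can be checked against one's own address logs. The following Python is an added example, not part of this RFC: the observation list, network labels and function names are constructed for illustration, and it assumes every address sits in a /64 prefix.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: (network label, source IPv6 address), all under
# the documentation prefix 2001:db8::/32. Not taken from the RFC.
OBSERVATIONS = [
    ("home",   "2001:db8:a:1:0211:22ff:fe33:4455"),
    ("cafe",   "2001:db8:b:7:0211:22ff:fe33:4455"),
    ("office", "2001:db8:c:3:0211:22ff:fe33:4455"),
    ("home",   "2001:db8:a:1:5c1d:9e0a:77b2:1f04"),  # IID differs per network
    ("cafe",   "2001:db8:b:7:e3a4:01bc:6d2f:90aa"),
]

def split_address(text):
    """Return (upper 64-bit prefix, lower 64-bit IID) as integers."""
    value = int(ipaddress.IPv6Address(text))
    return value >> 64, value & 0xFFFFFFFFFFFFFFFF

def is_eui64(iid):
    """True if the IID carries the 0xFFFE filler of a MAC-derived (modified EUI-64) IID."""
    return (iid >> 24) & 0xFFFF == 0xFFFE

def format_iid(iid):
    """Render a 64-bit IID as four colon-separated hextets."""
    return ":".join(f"{(iid >> s) & 0xFFFF:04x}" for s in (48, 32, 16, 0))

def linkable_iids(observations):
    """Map each IID seen under more than one /64 prefix to the networks it appeared on."""
    seen = defaultdict(set)
    for network, addr in observations:
        prefix, iid = split_address(addr)
        seen[iid].add((prefix, network))
    result = {}
    for iid, places in seen.items():
        if len({prefix for prefix, _ in places}) > 1:
            result[iid] = sorted({network for _, network in places})
    return result

if __name__ == "__main__":
    for iid, networks in linkable_iids(OBSERVATIONS).items():
        kind = "EUI-64 derived" if is_eui64(iid) else "stable, other origin"
        print(f"{format_iid(iid)} ({kind}) links: {', '.join(networks)}")
```

Addresses whose IID changes with each network do not appear in the result, because nothing in the lower 64 bits ties them together.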

As can be seen, the location privacy problem spans multiple protocol
layers. Nevertheless, we can examine problems encountered by nodes
using a particular protocol layer. Roaming is particularly important
to Mobile IP, which defines a global identifier (Home Address) that
can reveal device roaming, and in conjunction with a corresponding
user identifier (such as a SIP URI), can also reveal user roaming.
Furthermore, a user may not wish to reveal roaming to
correspondent(s), which translates to the use of a Care-of Address.
As with a Home Address, the Care-of Address can also reveal the
topological location of the Mobile Node.

This document scopes the problem of location privacy for the Mobile
IP protocol. The primary goal is to prevent attackers on the path
between the Mobile Node (MN) and the Correspondent Node (CN) from
detecting roaming due to the disclosure of the Home Address. The
attackers are assumed to be able to observe, modify, and inject
traffic at one point between the MN and the CN. The attackers are